Iran-Linked Eleven11bot: A Growing Threat from Compromised IoT Devices

A new botnet named Eleven11bot, consisting of over 30,000 compromised security cameras and network video recorders, is launching DDoS attacks primarily originating from Iran. Security researchers have noted its significant scale and have identified specific vulnerabilities in certain IoT devices. Recommendations to mitigate this threat include securing devices, monitoring network activity, and blocking malicious traffic.

A recently discovered botnet, consisting of over 30,000 compromised security cameras and network video recorders, is being utilized to execute distributed denial-of-service (DDoS) attacks against telecommunications providers and gaming platforms. This botnet, referred to as Eleven11bot, has been monitored by security researchers from Nokia Deepfield and GreyNoise. They report that it engages in extensive brute-force attacks targeting login systems by exploiting weak or default passwords typically found in Internet of Things (IoT) devices.

GreyNoise indicates that Iran is a significant originator of this botnet, with more than 60% of the 1,042 identifiable IP addresses linked to Eleven11bot traced back to that region. Although formal attribution has not been made, it is noteworthy that the botnet’s emergence coincided with newly imposed sanctions on Iran by the Trump administration, which aligns with the ongoing “maximum pressure” campaign aimed at the nation.

Experts in cybersecurity express concern about the formidable scale and persistence of Eleven11bot. Jerome Meyer, a security researcher at Nokia Deepfield, characterized the botnet’s scale as “exceptional among non-state actor botnets,” identifying it as one of the largest DDoS botnet campaigns documented since the Russian invasion of Ukraine in February 2022. The frequency and intensity of the attacks vary, ranging from hundreds of thousands to several hundred million packets per second, as noted by Meyer on LinkedIn.

Research conducted by Censys has revealed a compilation of 1,400 IP addresses that may be associated with Eleven11bot. Furthermore, GreyNoise has recorded 1,042 IPs targeting its sensors over the past month; concerningly, 96% of these addresses are considered non-spoofable, confirming that they belong to genuine, operational IoT devices. Additionally, GreyNoise has identified specific camera brands, such as VStarcam, which possess hardcoded credentials, rendering them particularly susceptible to such attacks.

To combat the threat posed by Eleven11bot, GreyNoise recommends implementing several protective measures:
1. Secure IoT Devices – It is advisable to change default passwords, disable remote access, and regularly update device firmware.
2. Monitor Network Activity – Organizations should analyze network logs for any anomalous login attempts, as adversaries often target Telnet and SSH credentials through brute-force tactics.
3. Block Malicious Traffic – Traffic from known malicious IP addresses should be restricted to mitigate the risk of further infiltration.
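
As an added illustration of recommendations 2 and 3 (not code from GreyNoise or the original article), the following Python sketch scans OpenSSH `sshd` log lines for bursts of failed logins from one source and for hits against a blocklist. The log lines, the blocklist entry, the function name `find_suspects` and the threshold and window values are all constructed assumptions; the IP addresses come from documentation ranges and are not real indicators.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines; IPs are documentation-range addresses, not real indicators.
SAMPLE_LOG = """\
Mar  4 10:15:01 nvr-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 10:15:03 nvr-gw sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 10:15:06 nvr-gw sshd[2215]: Failed password for invalid user support from 203.0.113.7 port 51251 ssh2
Mar  4 10:15:09 nvr-gw sshd[2217]: Failed password for invalid user guest from 203.0.113.7 port 51263 ssh2
Mar  4 10:15:12 nvr-gw sshd[2219]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar  4 10:20:40 nvr-gw sshd[2300]: Failed password for alice from 192.0.2.50 port 40112 ssh2
Mar  4 10:20:55 nvr-gw sshd[2300]: Accepted password for alice from 192.0.2.50 port 40112 ssh2
Mar  4 11:02:17 nvr-gw sshd[2411]: Failed password for root from 198.51.100.23 port 33810 ssh2
"""

# Placeholder blocklist entry (assumption); load real entries from a feed you trust.
BLOCKLIST = {"198.51.100.23"}

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)

def find_suspects(log_text, threshold=5, window=timedelta(seconds=60), year=2025):
    """Return {ip: {"reasons": set, "users": set}} for sources worth blocking."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried
    suspects = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # skip successful logins and unrelated lines
        stamp, user, ip = m.groups()
        # syslog timestamps omit the year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        reasons = set()
        if len(q) >= threshold:
            reasons.add("brute-force")
        if ip in BLOCKLIST:
            reasons.add("blocklisted")
        if reasons:
            entry = suspects.setdefault(ip, {"reasons": set(), "users": users[ip]})
            entry["reasons"] |= reasons
    return suspects
```

A single mistyped password followed by a successful login, as with `192.0.2.50` in the sample, stays below the threshold and is not flagged.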

As IoT devices remain a prevalent target for cybercriminals, it is imperative for individuals and organizations to proactively secure their networked systems to avert exploitation by botnets such as Eleven11bot.

The emergence of Eleven11bot, made up of over 30,000 compromised IoT devices, poses a notable threat to telecommunications and gaming entities. Traced predominantly to Iran, the botnet’s extensive reach and tactics warrant increased vigilance and security measures. Organizations are called upon to fortify their defenses against such sophisticated DDoS campaigns through firmware updates, login monitoring, and traffic restrictions. Overall, the situation underscores the critical need for enhanced cybersecurity protocols within the IoT landscape.

Original Source: irannewsupdate.com

Jamal Walker is an esteemed journalist who has carved a niche in cultural commentary and urban affairs. With roots in community activism, he transitioned into journalism to amplify diverse voices and narratives often overlooked by mainstream media. His ability to remain attuned to societal shifts allows him to provide in-depth analysis on issues that impact daily life in urban settings. Jamal is widely respected for his engaging writing style and his commitment to truthfulness in reporting.